This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites.
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
- CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
- Change in port should be considered a change in origin
The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.
Drupal 9.3.x will receive security coverage until December 2022.
If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.
Important update information
- Drupal core now requires guzzlehttp/guzzle 6.5.8 or higher (up from 6.5.8).
The latest Guzzle versions also require guzzlehttp/psr7 1.9 or higher (up from 1.8.5), so that package is updated as well.
Since the above change to guzzlehttp/psr7 requires a minor-level package update, sites will not be able to update the dependency themselves as outlined in this week's PSA.
Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.
- No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.
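A lock-file check for the dependency versions named in the update information above, as an added example that is not part of the release notes or of Drupal's own tooling. The function names and sample lock data are constructed for illustration; the check treats Guzzle 7 as unexpected, following the caution for sites that do not use drupal/core-recommended.

```python
import json

# Floors from the release notes; guzzle must also stay below major version 7.
REQUIREMENTS = {
    "guzzlehttp/guzzle": {"min": (6, 5, 8), "below_major": 7},
    "guzzlehttp/psr7": {"min": (1, 9, 0), "below_major": None},
}

def parse_version(text):
    """Turn '6.5.8' or 'v1.9' into a 3-tuple of ints; None if not numeric."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    try:
        parts = [int(p) for p in core.split(".")[:3]]
    except ValueError:
        return None  # e.g. 'dev-master' or '6.5.x-dev'
    return tuple(parts + [0] * (3 - len(parts)))

def audit_lock(lock_text):
    """Return findings for a composer.lock document; an empty list means OK."""
    lock = json.loads(lock_text)
    installed = {p["name"]: p["version"] for p in lock.get("packages", [])}
    findings = []
    for name, rule in REQUIREMENTS.items():
        raw = installed.get(name)
        if raw is None:
            findings.append(f"{name}: not present in lock file")
            continue
        version = parse_version(raw)
        if version is None:
            findings.append(f"{name} {raw}: version cannot be compared")
        elif version < rule["min"]:
            findings.append(f"{name} {raw}: below required minimum")
        elif rule["below_major"] and version[0] >= rule["below_major"]:
            findings.append(f"{name} {raw}: unexpected major version")
    return findings

def make_lock(guzzle, psr7):
    """Build a minimal constructed composer.lock body for the samples below."""
    return json.dumps({"packages": [
        {"name": "guzzlehttp/guzzle", "version": guzzle},
        {"name": "guzzlehttp/psr7", "version": psr7},
    ]})

# Constructed samples: not yet updated, updated, accidentally moved to Guzzle 7.
SAMPLES = {"old": make_lock("6.5.7", "1.8.5"), "ok": make_lock("6.5.8", "1.9.0"),
           "guzzle7": make_lock("7.4.5", "2.4.0")}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, audit_lock(text) or "OK")
```

To audit a real site, pass the contents of its `composer.lock` to `audit_lock()` after running the update.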